Co-ordinate EU defences or risk losing cyber battles

Imagine this scenario: all important institutions of a country find their access to the internet blocked. Highly developed software deletes vital data. The country is thrown back into the information Stone Age. There is a total information black-out.

This, though, is not an imaginary scene. It has already happened in the EU – in 2007, when cyber attacks paralysed Estonia’s government and banking system.

It is not just national IT infrastructures that have been attacked; in January, thieves hacked into national emission-trading registers in EU member states and stole approximately €30 million of emissions, forcing the EU’s entire system to be closed down. This was just one of the increasingly frequent attacks on EU-level institutions.

Most experts believe this is just the beginning: the wars and conflicts of the future, both military and economic, will be fought on data highways. The attacks on Estonia, Georgia and, most recently, North Korea’s attacks on South Korean agricultural co-operative bank Nonghyup, clearly illustrate that we are now confronted with a new dimension of crime and a new kind of asymmetric warfare.

The EU and its member states appear unfit to counter such threats: member states are taking some good measures but capabilities are uneven, legislation is patchy, and policies are unco-ordinated.

The EU already has some tools and an agency: in 2004, it created the European Network and Information Security Agency (ENISA), to improve network and cyber-security. It advises and helps the European Commission and the member states, it collects and analyses data on security incidents, and has a general remit to promote the exchange of best practice between member states.

But this is not enough: the unco-ordinated national, international and EU-level approaches to cyber-security leave gaps, inconsistencies and incoherent decision-making processes that can be exploited.

Last September, the Commission proposed that ENISA’s mandate should be expanded, to allow it to act as a forum for law-enforcement agencies and data-protection authorities.

This, though, amounted to advocating ‘business as usual plus extras’. Its proposal should have been much more ambitious.

ENISA is currently the interface between all departments of the Commission that are involved in cyber-security. It also provides its expertise to member states.

But there is no strong EU-level contact point to which member states and EU institutions can refer on network and cyber-security issues – a problem highlighted during the attacks on the emissions-trading system. ENISA could provide this point of contact.

It is especially important to give it such a role in standardisation – one of the most powerful preventative measures available. ENISA could provide a platform between governments, institutions and industry, and could push pro-actively for harmonisation. Ultimately, the EU’s goal should be to establish a legal framework with partners abroad to set minimum cyber-security standards and to co-ordinate national policies and implementation measures.

Moreover, ENISA should also play an active role in the EU’s research and development policy; at present it does not influence spending. A sustainable cyber-security strategy is impossible without continuous R&D.

The EU was forward-looking when it established ENISA, and in the years since then ENISA has earned the respect of those in the information-security business. But we now need to look forward again. With more power and with deeper integration into European structures, ENISA could be one of the most important actors in efforts by the EU and its member states to build up cyber-security structures capable of countering the cyber-threats we face today.

Christian Ehler is a German centre-right MEP. Jorgo Chatzimarkakis is a German liberal MEP.